Severity: High
Description: This control ensures that bucket policy enforcing "SecureTransport" exists for all the objects inside of a bucket. S3 buckets should be configured to strictly require SSL connections to deny unencrypted HTTP requests when dealing with sensitive data. Encryption in transit mitigates the risk of data leakage and disclosure of sensitive data while data in transit. This provides protection from sniffing attacks especially when buckets and objects are being accessed outside of the trusted network.
Remediation Steps:
...
Perform following to update S3 bucket in transit encryption :
Login to the AWS Management Console at https://console.aws.amazon.com.
Navigate to s3 console.
In the navigation pane, select buckets.
Click on the bucket to be modified, click permissions.
Choose Bucket Policy.
If there is no existing bucket policy for a bucket define one with json:
Code Block { "Version": "2012-10-17", "Statement": [{ "Effect": "Deny", "Principal": { "AWS": "*" }, "Action": "s3:*", "Resource": [ "arn:aws:s3:::[Bucket-Name]", "arn:aws:s3:::[Bucket-Name]/*" ], "Condition": { "Bool": { "aws:SecureTransport": "false" } } }] }
If there is already a bucket policy, in Statement section append json mentioned below:
Code Block { "Effect": "Deny", "Principal": { "AWS": "*" }, "Action": "s3:*", "Resource": [ "arn:aws:s3:::[Bucket-Name]", "arn:aws:s3:::[Bucket-Name]/*" ], "Condition": { "Bool": { "aws:SecureTransport": "false" } } }
Choose Save.
Important:
In Bucket Policy for "SecureTransport", setting resource to "Resource": "arn:aws:s3:::[Bucket-Name]/*" will enforce "SecureTransport" configuration to all the objects inside the bucket but not on bucket url itself. However, Setting resource to "Resource": "arn:aws:s3:::[Bucket-Name]" will enforce "SecureTransport" configuration to the bucket itself but not on objects inside the bucket.
Reference:
https://docs.aws.amazon.com/AmazonS3/latest/user-guide/default-bucket-encryption.html
https://docs.aws.amazon.com/AmazonS3/latest/userguide/security-best-practices.html
https://docs.aws.amazon.com/config/latest/developerguide/s3-bucket-ssl-requests-only.html
https://aws.amazon.com/premiumsupport/knowledge-center/s3-bucket-policy-for-config-rule